godep unintentionally stripping license files from vendored libraries when target is a subdirectory #245
Comments
dropwhile
changed the title
|
Hmm. Godep uses go's own libraries/tools to handle package/file selection, which basically ignores everything that isn't a *.go file. This is unlikely to be a "trivial" fix. :-( |
|
It should be copying all files, not just |
|
Aha, it seems the license file is in a parent directory of all the go packages. Since godep copies only packages, it misses the parent directory. Yes, this would be difficult to fix. Although godep mainly operates on packages, it already has some special cases for the root of a repository. It is not too hard to imagine another special case that copies all regular files from the repo root of any dependency. (We still want to avoid simply copying the entire repo, because it might contain some very large packages that are unused and could otherwise be omitted.) |
|
Copying the files at the repo root would certainly be sufficient to cover consumers of my repos. However, I could potentially imagine someone doing something like this, no matter how confusing or possibly ill advised it may be. If the consumer simply imported Like I said, special casing the root would cover my needs though. |
|
Yeah, that would be reasonable as well. |
|
+1 for this. I think |
|
@ahmetalpbalkan Nope. I do not use godep. Someone using one of my libs had the license stripped (not cool as it means they were unknowingly noncompliant with just about any open source license when using godep), so I filed this ticket. |
|
@kr are you ok with having this feature preserving LICENSEs by default? |
|
I am okay with it. Basic implementation would be to do a case insensitive check for common License files (LICENSE, LICENSE.TXT, LICENSE.MD, ??) in the root of a repo and include the file if it exists. @ahmetalpbalkan Feel free to work on it and submit a PR when you are ready. |
|
FYI - https://github.com/ryanuber/go-license // A set of reasonable license file names to use when guessing where the
// license may be.
var DefaultLicenseFiles = []string{
"LICENSE", "LICENSE.txt", "LICENSE.md", "license.txt",
"COPYING", "COPYING.txt", "COPYING.md", "copying.txt",
"UNLICENSE",
}and I'm looking at adding |
|
@client9 the list above looks enough but I'm not sure if we need READMEs to be vendored. I know they might have a license clauses in them, but maybe include them if they contain the word “license”? |
|
@ahmetalpbalkan yeah, sorry I wasn't clear. I don't recommend you copy the readme unless it has license info (but even then you might not want to include that logic in godep). Im only updating go-license code to peek inside readmes as a last resort if a COPYING/LICENSE is missing. |
|
@client9 hmm maybe even that's a bit overkill. I think anyone serious with the licenses would just have it in a separate file. I also looked at go-license repo and spotted an issue with case-sensitivity in file names. Other than that, we should be able to just use it. |
|
yeah, you'd be amazed at the number of packages that just add a link in readme and call it a day. I attempt to file tickets to get the authors to convert to using a separate file, but... Agree they should ignore case. I'll hope to hack on go-license a bit more today. Thanks for looking into this and for your work in godep! |
|
Hi @ahmetalpbalkan , I think Im about done with a PR for go-license My guess is .. do you even care about the license itself? meaning you might just want a function "give me files that look like a license" (e.g. COPYING, LICENSE, etc) so you can copy it Anyways, let me know if you want a different API in Of note are // returns a []string of files in a directory, or error
func readDirectory(dir string) ([]string, error) |
|
@client9 I think a method returning license filenmes would be just fine. I don't think we need the would be more than enough. |
|
yeah that my thinking too.. ok will hack away! |
|
Looking into this a bit more, I think you want to copy a few more "files of interest". While most cases are handled by go-license there are number of other cases that don't quite fall into software license, that you may wish to copy as well. Im happy to write up (perhaps not in go-license) that captures all the examples below Let me know what you think. examples to follow: Ex: everything Facebook open sources is now BSD in one file, and patents file in another. https://github.com/facebookgo/startstop/blob/master/license Ex: other legal notices, eg. Docker stuff contains The following aren't go, but we can expect this as time goes on: Ex: Copying + Copyright Ex. Duplicate licenses in different files. Haven't seen so much so in go but some repos have COPYLEFT and COPYING/LICENSE Ex: More of everything. If one notice is good, more must be better these guys Sure have a license but also: Legal disclaimer Separate copyright And notice of other stuff Phew! |
|
@ahmetalpbalkan Recent changes I made to the vcs file listing commands should play well with this. vcs also now has a way to determine the repo root (since it's given the package path). |
|
Im happy to donate https://github.com/client9/gosupplychain/blob/master/license.go if it helps. Let me know if you'd like a pull request, and/or any file/function naming changes. regards, n |
|
@client9 A PR for the functionality described in this issue would be great! |
|
Pull request #301 ready for review @freeformz |
|
Ok I think see the code that needs to change, and nifty way of unit testing |
|
@client9 Go for it. My focus for the next week or so is elsewhere (other projects) unfortunately. I'm just trying to keep anything godep related (Issues/PRs) moving along until I can get back to working directly on things. |
|
Ok, not soo bad. It's a bit tricky since things are working in filesystem paths, but this seems to work. For each dependency, it walks backwards grabbing any license files, until it hits the top level. meaning if we have
There is a simple test case added. Next step is to make a fake app that uses |
|
pull request #301 updated, waiting for review. |
It appears godep strips license files and other data from dependencies when godep save is used.
I have a project which uses a nested subdirectory as the main entry point for most folks. When godep save is used by consumers of the library, this is the resulting file hierarchy.
Note the lack of a LICENSE file which is present in the original repository. This means projects using the repo in conjunction with godep would be in non-compliance with the license, wholly unintentionally.
There are several other projects which use similar hierarchy layouts. Here is one such example.
The text was updated successfully, but these errors were encountered: